Hi,

(Not sure why, but, when using "Reply to all" in Gmail, it doesn't
actually reply to you (or Cc you), only to the mailing list. I had to
manually add your email back.)

On Sat, May 8, 2021 at 4:25 AM <dwh@xxxxxxxxxxxxxxxxxxx> wrote:
>
> Hi Everybody,
>
> I was reading through the
> Documentation/technical/hash-function-transition.txt doc and realized
> that the plan is to support allowing BOTH SHA1 and SHA256 signatures to
> exist in a single object:
>
> > Signed Commits
> > 1. using SHA-1 only, as in existing signed commit objects
> > 2. using both SHA-1 and SHA-256, by using both gpgsig-sha256 and gpgsig
> > fields.
> > 3. using only SHA-256, by only using the gpgsig-sha256 field.
> >
> > Signed Tags
> > 1. using SHA-1 only, as in existing signed tag objects
> > 2. using both SHA-1 and SHA-256, by using gpgsig-sha256 and an in-body
> > signature.
> > 3. using only SHA-256, by only using the gpgsig-sha256 field.
>
> The design that I'm working on only supports a single signature that
> uses a combination of fields: one 'signtype', zero or more 'signoption'
> and one 'sign' in objects.

Here I understand that your design doesn't support both a SHA1 and a
SHA256 signature.

> I am thinking that the best thing to do is
> replace the gpgsig-sha256 fields in objects and allow old gpgsig (commits)
> and in-body (tags) signatures to co-exist alongside to give the same
> functionality.

Is this part of your design, or a, maybe temporary, alternative to it?

> That not only paves the way forward but preserves the full backward
> compatibility that is one of my top requirements.

There have been patches and discussions quite recently about this, that
have been reported on in our Git Rev News newsletter:

https://git.github.io/rev_news/2021/02/27/edition-72/

You can see that, with the latest patches (not sure the documentation
is up-to-date though), signing both commits and tags can now be
round-tripped through both SHA-1 and SHA-256 conversions.

How isn't that fully backward compatible?

Best,
Christian.